Getting Composer to work with GitHub tokens on Shippable
Composer is a dependency manager for PHP. If you're using it in your projects and running builds on Shippable, you might notice that once in a while your builds fail with a dangerous-looking error:
Could not fetch https://api.github.com/repos/twilio/twilio-php/zipball/51ab2929a66d4455ecb470eafdfe2bab798945ff,
enter your GitHub credentials to go over the API rate limit
The credentials will be swapped for an OAuth token stored in /home/shippable/.phpenv/versions/5.4/composer/auth.json,
your password will not be stored
To revoke access to this token you can visit https://github.com/settings/applications
Build timed out
This can be a frustrating error to deal with, because Composer is waiting for user input and your build will just wait until it times out or you manually cancel it.
Wait, my build runs fine locally. Why does this happen only on Shippable?
Composer downloads dependencies directly from GitHub. By default it does this using unauthenticated requests, and GitHub currently allows only 60 unauthenticated requests per hour. Unless you're using dedicated hosts on Shippable, you're running on our shared hosts. It looks like GitHub applies the rate limit to an IP address, so if other builds running on the same host have already made 60 calls to GitHub in the last hour, your build is going to fail.
OK, so how do I get this to work on Shippable?
Composer lets you configure a GitHub OAuth token. Once you do this, you'll be making authenticated requests to GitHub and your rate limit immediately shoots up to 5,000 requests per hour. Because this is done with your unique token, the rate limit is all yours to consume and doesn't get shared with any other builds that might be running. Let's get started with this.
Step 1: Create a GitHub token
Generate a GitHub token. You only need read permission, so it's safe to uncheck all of the scopes for the token.
Step 2: Protect your token with Shippable environment variable encryption
Now that you have a token, you want to tell Composer to use it during your build. However, you shouldn't just check this in to your repository because it's a private token for your account. This is where Shippable's encrypted environment variables come in handy. Head over to your subscription dashboard on Shippable and click on the "Encrypted env vars" link:
Define a new environment variable. I'm going to call it MY_GITHUB_TOKEN like so:
Step 3: Add the environment variable to your YML file
Paste the output from the encryption dialog exactly as it is to the env section of your shippable.yml file. When your build runs, this value will be decrypted and made available to your build as an environment variable called MY_GITHUB_TOKEN.
Step 4: Configure Composer to use your token
The last step is to tell Composer to use your token. Just add this to your before_install section and you're done:
before_install:
- composer config -g github-oauth.github.com $MY_GITHUB_TOKEN
That's it. Composer will now use your personal token when fetching dependencies from GitHub.
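If you want Step 4 to fail loudly instead of hanging, and to keep the token out of the build log, here is a small wrapper around the same composer config call. It is an added example, not part of the original post or of Shippable's tooling. The function names and the token character check are assumptions; COMPOSER_NO_INTERACTION is Composer's own environment variable.

```shell
#!/bin/sh
# Added example, not from the original post. Source it in before_install,
# then call configure_composer_token in place of the bare composer command.

_set_composer_token() {
    token="${MY_GITHUB_TOKEN:-}"   # variable name chosen in Step 2

    # Fail with a clear message if the build did not receive a value.
    if [ -z "$token" ]; then
        echo "MY_GITHUB_TOKEN is empty or unset" >&2
        return 1
    fi

    # Assumed format check: letters, digits and underscores only. Catches a
    # pasted space, quote or newline before it reaches Composer's config.
    case "$token" in
        *[!A-Za-z0-9_]*)
            echo "MY_GITHUB_TOKEN contains unexpected characters" >&2
            return 1
            ;;
    esac

    composer config -g github-oauth.github.com "$token"
}

configure_composer_token() {
    # Turn xtrace (set -x) off before anything expands the token, so the
    # value is never echoed into the build log; restore it afterwards.
    case "$-" in
        *x*) restore_xtrace=1; set +x ;;
        *)   restore_xtrace=0 ;;
    esac

    status=0
    _set_composer_token || status=$?

    if [ "$restore_xtrace" -eq 1 ]; then set -x; fi

    # Make later Composer commands non-interactive: a rate-limit or auth
    # failure then ends the build instead of waiting for input.
    COMPOSER_NO_INTERACTION=1
    export COMPOSER_NO_INTERACTION

    return "$status"
}
```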